https://live.paloaltonetworks.com/t5/next-generation-firewall/fw-outbound-policy/m-p/584531#M3035 <P>Hi</P> <P>What is the best practice policy outbound from the FW itself (i.e management )?</P> <P>Allow any out? *.palotalto.com?</P> <P>&nbsp;</P> Mon, 22 Apr 2024 20:24:19 GMT chens 2024-04-22T20:24:19Z https://live.paloaltonetworks.com/t5/next-generation-firewall/fw-outbound-policy/m-p/584531#M3035 <P>Hi</P> <P>What is the best practice policy outbound from the FW itself (i.e management )?</P> <P>Allow any out? *.palotalto.com?</P> <P>&nbsp;</P> Mon, 22 Apr 2024 20:24:19 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/fw-outbound-policy/m-p/584531#M3035 chens 2024-04-22T20:24:19Z https://live.paloaltonetworks.com/t5/next-generation-firewall/fw-outbound-policy/m-p/584657#M3044 <P>Hello,</P> <P>&nbsp;</P> <P>It depends on what your needs would be and how locked down you want to be. For example if you use Stata Logging Service (Cortex Data Lake) There are things like&nbsp;<SPAN>*.gpcloudservice.com and ocsp.godaddy.com&nbsp;needed. Personally I would just recommend doing it by app-id, for the Palo services that are various app-ids for the services and the documentation should list it. For example, here is Strata Logging Services:&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Claw4609_0-1713891749755.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59236i5118022929E25A68/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Claw4609_0-1713891749755.png" alt="Claw4609_0-1713891749755.png" /></span></P> <P><A href="https://docs.paloaltonetworks.com/strata-logging-service/administration/planning/ports-and-fqdns" target="_blank">TCP Ports and FQDNs Required for Strata Logging Service (paloaltonetworks.com)</A></P> <P>&nbsp;</P> Tue, 23 Apr 2024 17:02:35 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/fw-outbound-policy/m-p/584657#M3044 Claw4609 2024-04-23T17:02:35Z https://live.paloaltonetworks.com/t5/next-generation-firewall/fw-outbound-policy/m-p/586065#M3138 <P>Create a custom URL list with all the palo FQDNs they recommend, make sure you have service route configured correctly if using anything other than Mgmt. Then use all the palo app-id selections with application default. Watch the logs over a few day for any URLs its trying to hit that might be palo related. Also use policy optimizer to slim down your app usage and rid of any apps your policy isn't using.&nbsp;</P> Tue, 07 May 2024 18:43:07 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/fw-outbound-policy/m-p/586065#M3138 S_Williams901 2024-05-07T18:43:07Z https://live.paloaltonetworks.com/t5/next-generation-firewall/fw-outbound-policy/m-p/586085#M3142 <P>Hello,</P> <P>Along with the above already mentioned, disable all content inspection and ssl decryption, etc.</P> <P>&nbsp;</P> <P>Regards,</P> Tue, 07 May 2024 20:45:45 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/fw-outbound-policy/m-p/586085#M3142 OtakarKlier 2024-05-07T20:45:45Z